
Fortify FPR to SARIF

The "What's New in Fortify v20.1" webcast mentioned something about displaying FPR results directly in Git by converting the FPR to SARIF? Can somebody explain this and point me at additional resources for this?

Micro Focus Expert

We are actively working on integrating Fortify with GitHub; this includes starting Fortify scans from GitHub workflows, and reporting Fortify results back onto the GitHub security dashboard. We have similar efforts going on for other providers like GitLab, but in this post I'll focus on our GitHub integration efforts.

Current progress can be seen at https://github.com/fortify-actions, which hosts various GitHub Actions that can be called from your GitHub workflows, as well as various example projects that illustrate how to use these actions in sample workflows.

This is still work in progress; we may be adding, changing or removing actions as we see fit, and we haven't decided on a final location for these actions yet (maybe they will be moved to https://github.com/fortify). So you can play around with these actions, but we do not yet recommend using these in production environments.

In particular, reporting Fortify issues back onto the GitHub security dashboard is still very much in progress. We are looking into various options for generating the SARIF file that is used by GitHub to populate the security dashboard, and in fact the GitHub security dashboard itself is still in beta.

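To illustrate the SARIF side of the answer above, here is an added example (not code from Fortify or the fortify-actions repository) that builds a minimal SARIF 2.1.0 log from a constructed list of findings, assumed to have already been extracted from an FPR, and runs a few structural checks before the file would be uploaded to a security dashboard. The finding field names, the severity-to-level mapping and the tool name are assumptions.

```python
# Constructed sample findings, assumed to have already been pulled out of an FPR
# (parsing the FPR itself is not shown; these field names are an assumption).
FINDINGS = [
    {"rule_id": "SQL_Injection", "category": "SQL Injection", "severity": "Critical",
     "file": "src/main/java/com/example/UserDao.java", "line": 42,
     "message": "User-controlled data reaches a SQL query without validation."},
    {"rule_id": "Log_Forging", "category": "Log Forging", "severity": "Low",
     "file": "src/main/java/com/example/Audit.java", "line": 17,
     "message": "Unvalidated input is written to a log entry."},
]

# Assumed priority buckets -> SARIF result levels; anything unrecognised becomes a note.
LEVEL = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}

def to_sarif(findings, tool_name="Fortify SCA"):
    """Build a SARIF 2.1.0 log: one run, one rule per distinct rule_id, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        if f["rule_id"] not in rule_index:          # register each rule once, remember its index
            rule_index[f["rule_id"]] = len(rules)
            rules.append({"id": f["rule_id"], "name": f["category"],
                          "shortDescription": {"text": f["category"]}})
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_index[f["rule_id"]],
            "level": LEVEL.get(f["severity"], "note"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},   # path relative to the repository root
                "region": {"startLine": f["line"]}}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                      "results": results}]}

def check_sarif(doc):
    """Return structural problems worth fixing before upload: wrong version,
    a result referencing an unregistered rule, or a result without a location."""
    problems = [] if doc.get("version") == "2.1.0" else ["version must be 2.1.0"]
    for run in doc.get("runs", []):
        known = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            if res.get("ruleId") not in known:
                problems.append(f"unknown rule {res.get('ruleId')}")
            if not res.get("locations"):
                problems.append(f"{res.get('ruleId')} has no location")
    return problems
```

Serialise the returned dictionary with `json.dumps(..., indent=2)` to get the file a dashboard upload step would consume.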